From LDAP to Samba

While my days of system administration are mostly a thing of the past, from time to time I miss getting my hands “dirty” with some real Linux work, as was the case when I decided to turn my Ubuntu 12.04 LTS box into a Samba domain controller (an NT4-style domain, since 12.04 ships Samba 3). Mainly, I was interested in having a single login and password across a variety of client computers, so I decided to use LDAP as the backend.

Disclaimer: Large parts of this tutorial are based on a variety of guides, manuals, and how-tos. I found, however, that most of these either lacked some aspect of configuring LDAP and Samba, or contained instructions that would not work with my exact version of Ubuntu (which is quite a feat for the OFFICIAL server guide!).

Throughout this text I will be referring to my domain afqa123.com and my server name ldap.afqa123.com. For your own setup, please substitute the names accordingly.

To start, make sure that the host name is set up correctly on your system: the slapd package derives the base distinguished name (DN) of the directory from the domain part of the host name, so afqa123.com becomes dc=afqa123,dc=com.
$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 ldap.afqa123.com ldap
...

Installing LDAP
Install the LDAP server via apt-get. The configuration dialog that follows asks for a new password for the LDAP administrator, which becomes cn=admin under your base DN (cn=admin,dc=afqa123,dc=com here). The base DN itself is taken from the domain name, so if it comes out wrong, fix /etc/hosts and rerun dpkg-reconfigure slapd:
$ sudo apt-get install slapd ldap-utils

At this point you should have a basic directory under /etc/ldap/, with the server's own configuration in the cn=config tree under /etc/ldap/slapd.d/. For testing purposes it makes sense to increase the logging output slapd produces; the stats level records every connection, bind DN and operation (not passwords) via syslog, so turn it back down when you are done. To do so, create a file called logging.ldif with the following content and load it into the running server with ldapmodify:
dn: cn=config
changetype: modify
add: olcLogLevel
olcLogLevel: stats

Then install the NSS and PAM LDAP modules, select the LDAP profile for NSS, and tell PAM to use LDAP for authentication by selecting LDAP in the configuration dialog that follows. Note that auth-client-config and its lac_ldap profile are not part of slapd: they come with the ldap-auth-client package (which also pulls in libnss-ldap and libpam-ldap), so install that first and answer its dialog with your LDAP URI (ldap://ldap.afqa123.com/ here) and base DN. If you let it store the administrator password for root in /etc/ldap.secret, keep that file mode 0600, and on clients that reach the server over the network enable TLS (ssl start_tls in /etc/ldap.conf), since otherwise user passwords cross the wire in the clear:
$ sudo auth-client-config -t nss -p lac_ldap
$ sudo pam-auth-update
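The LDIF above only takes effect once it is loaded into the running server, and the NSS change is only useful if all three of passwd, group and shadow actually consult LDAP. The script below is an added example, not part of the original post: it applies logging.ldif over the local ldapi:/// socket (as root, via SASL EXTERNAL, so no administrator password is sent), reads the setting back, and then checks the nsswitch.conf wiring before you rely on it for logins. The script name ldap-setup.sh and its apply/check subcommands are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Usage:
#   sudo sh ldap-setup.sh apply   # load logging.ldif into cn=config
#   sudo sh ldap-setup.sh check   # verify NSS is wired to LDAP
# Assumes a local slapd listening on ldapi:/// (the Ubuntu default) and
# logging.ldif in the current directory.

# Load an LDIF into cn=config over the local socket. SASL EXTERNAL maps
# the root uid onto the cn=config administrator, so no password is sent.
apply_config_ldif() {
    ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f "$1"
}

# Read the effective log level back; the cn=config entry carries
# objectClass olcGlobal.
show_loglevel() {
    ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config \
        '(objectClass=olcGlobal)' olcLogLevel
}

# Return 0 if passwd, group and shadow in the given nsswitch.conf all list
# the ldap source, 1 otherwise. The path is a parameter so the check can
# be run against any copy of the file, not only /etc/nsswitch.conf.
nsswitch_uses_ldap() {
    conf="$1"
    for db in passwd group shadow; do
        # A configured line looks like "passwd:  compat ldap"; "ldap" must
        # appear as a whole word after the colon. Comment lines never match.
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]ldap([[:space:]]|\$)" "$conf" \
            || return 1
    done
    return 0
}

case "${1:-}" in
    apply)
        apply_config_ldif logging.ldif
        show_loglevel
        # slapd logs via syslog facility local4, which Ubuntu writes to
        # /var/log/syslog. Set olcLogLevel back to none after testing: the
        # stats level records every bind DN and search.
        ;;
    check)
        if nsswitch_uses_ldap /etc/nsswitch.conf; then
            echo "nsswitch.conf: passwd, group and shadow consult ldap"
        else
            echo "nsswitch.conf: ldap missing from passwd, group or shadow" >&2
            exit 1
        fi
        # Accounts that exist only in the directory must now resolve here.
        getent passwd | tail -n 3
        ;;
esac
```

Run apply once after creating logging.ldif, and check after pam-auth-update; with no subcommand the script only defines its functions.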

Install Samba
At this point you are ready to install Samba using apt-get:
$ sudo apt-get install samba samba-doc smbldap-tools

The smbldap-tools package should come with a script to generate its configuration files for you, but the version in 12.04 (0.9.7) ships without it. This means you have to copy the example configuration and edit it by hand. Note that the tools read two files: smbldap.conf (domain SID, suffixes and account defaults) and smbldap_bind.conf (the administrator DN and its password in cleartext, so it must stay mode 0600); the commands below copy only the first:
$ sudo cp /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz /etc/smbldap-tools/
$ sudo gzip -d /etc/smbldap-tools/smbldap.conf.gz
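Copying smbldap.conf is only the start: the domain SID, the suffix and the bind credentials still have to be filled in, Samba has to be told the same administrator password, and the directory has to be populated before LAM has anything to show. The script below is an added example, not part of the original post or of smbldap-tools. It assumes the base DN dc=afqa123,dc=com and administrator cn=admin,dc=afqa123,dc=com from this post; the workgroup name AFQA123 and the script name smbldap-setup.sh are this example's own. Because net getlocalsid and smbldap-populate read the workgroup and ldap settings from smb.conf, set up smb.conf (covered further down) before running it.

```shell
#!/bin/sh
# Added example (not from the original post). Usage:
#   sudo sh smbldap-setup.sh install    # copy and fill in both config files
#   sudo sh smbldap-setup.sh populate   # store the admin password, populate
# Assumes dc=afqa123,dc=com and cn=admin,dc=afqa123,dc=com from the post;
# the workgroup AFQA123 is this example's assumption. smb.conf must already
# name the workgroup, since net getlocalsid derives the SID from it.
set -e

EXAMPLES=/usr/share/doc/smbldap-tools/examples
CONFDIR=/etc/smbldap-tools
CONF=$CONFDIR/smbldap.conf
BIND=$CONFDIR/smbldap_bind.conf
SUFFIX="dc=afqa123,dc=com"
ADMIN="cn=admin,$SUFFIX"

# Return 0 if the file exists and has no group or other permission bits,
# 1 otherwise. Columns 5-10 of ls -l are the group/other bits; this works
# with any POSIX ls, unlike stat -c.
secret_file_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

case "${1:-}" in
    install)
        for f in smbldap.conf smbldap_bind.conf; do
            # Larger example files are shipped gzipped; handle both forms.
            if [ -f "$EXAMPLES/$f.gz" ]; then
                gzip -dc "$EXAMPLES/$f.gz" > "$CONFDIR/$f"
            else
                cp "$EXAMPLES/$f" "$CONFDIR/$f"
            fi
        done
        # smbldap_bind.conf holds the admin DN and password in cleartext.
        chmod 644 "$CONF"
        chmod 600 "$BIND"
        # smbldap.conf needs the domain SID Samba uses; on a PDC that is the
        # local SID, printed as "SID for domain LDAP is: S-1-5-21-...".
        sid=$(net getlocalsid | sed 's/^.*: //')
        sed -i "s/^SID=.*/SID=\"$sid\"/" "$CONF"
        sed -i "s/^sambaDomain=.*/sambaDomain=\"AFQA123\"/" "$CONF"
        sed -i "s/^suffix=.*/suffix=\"$SUFFIX\"/" "$CONF"
        sed -i "s/^masterDN=.*/masterDN=\"$ADMIN\"/; s/^slaveDN=.*/slaveDN=\"$ADMIN\"/" "$BIND"
        echo "Now put the LDAP admin password in masterPw/slavePw in $BIND,"
        echo "then run: $0 populate"
        ;;
    populate)
        if ! secret_file_is_private "$BIND"; then
            echo "$BIND is readable by group/other; chmod 600 it first" >&2
            exit 1
        fi
        # Samba needs the same password for its 'ldap admin dn'; smbpasswd -w
        # stores it in secrets.tdb rather than smb.conf. The value is briefly
        # visible in the process list here; type it interactively if that
        # matters on your box.
        smbpasswd -w "$(sed -n 's/^masterPw="\(.*\)"/\1/p' "$BIND")"
        # Creates the base DN, ou=Users/Groups/Computers, the root and nobody
        # accounts, the Domain Admins/Users/Guests groups and the sambaDomain
        # entry, and prompts for the domain root password.
        smbldap-populate
        ;;
esac
```

With no subcommand the script only defines its helper, so it can be sourced to reuse secret_file_is_private on other credential files such as /etc/ldap.secret.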

Configuring LDAP Account Manager
While it is entirely possible to configure LDAP users from the command line, it is not very practical to do so. Let’s install the web-based LDAP account manager (LAM) to make our life a little easier:
$ sudo apt-get install ldap-account-manager

LAM is now available at http://localhost/lam/. You'll first have to set up a few things: click the LAM Configuration link at the top of the page and select “Edit server profiles”. The default password for the profile editor is “lam”; change it right away rather than eventually, since it travels over plain HTTP and anyone who can reach the page could otherwise change which users are allowed to log in (keep LAM reachable only from localhost, or put it behind HTTPS). Edit the “Tree suffix” to match your base DN (dc=afqa123,dc=com) and set the list of valid users to “cn=admin,dc=afqa123,dc=com”. Then switch to the account types tab and update the LDAP suffix for each type to the OUs smbldap-tools uses (by default ou=Users, ou=Groups and ou=Computers under the base DN).

After saving the changes, you should be able to log into LAM with the LDAP administrator password set during the slapd install. If all went well, and the directory has been populated with smbldap-populate (which is what creates these entries), you should see a couple of users (root, nobody), the Samba groups, and your Samba domain. At this point, create a new user for testing purposes and enable the Samba 3 extension for it.

Configure Samba
The final piece of the server configuration is Samba itself. You can start from the example config which comes with smbldap-tools, then set the workgroup, ldap admin dn and the ldap suffixes to your domain and check the result with testparm:
$ sudo cp /usr/share/doc/smbldap-tools/examples/smb.conf.example /etc/samba/smb.conf
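Before starting Samba on the copied config, it is worth checking its LDAP section mechanically. The script below is an added example, not part of the original post or of Samba: it pulls parameters out of [global], reports any of the parameters the ldapsam backend needs that are missing, and refuses a configuration that points at a remote LDAP server without TLS, since the administrator bind and every password hash would otherwise cross the network in the clear. The parameter names are Samba's own; the script name smbconf-check.sh, its output and the sample config in the usage below are this example's.

```shell
#!/bin/sh
# Added example (not from the original post). Usage:
#   sh smbconf-check.sh check [/path/to/smb.conf]
# Assumes Samba 3 parameter names; nothing here is Samba's own code.

# Print the value of one [global] parameter from an smb.conf file, or
# nothing if it is unset. Samba treats names case-insensitively; this
# handles case and surrounding blanks, which covers the example config.
smb_param() {
    conf="$1"; name="$2"
    sed -n '/^[[:space:]]*\[global\]/,/^[[:space:]]*\[/p' "$conf" \
      | grep -i "^[[:space:]]*$name[[:space:]]*=" | head -n 1 \
      | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Print each parameter the ldapsam backend needs that is not set.
missing_ldap_params() {
    conf="$1"
    for p in "passdb backend" "ldap admin dn" "ldap suffix" \
             "ldap user suffix" "ldap group suffix" "ldap machine suffix"; do
        [ -n "$(smb_param "$conf" "$p")" ] || echo "$p"
    done
}

# Return 0 if the LDAP transport is safe, 1 if a remote server is reached
# over plain ldap:// without 'ldap ssl = start tls', or if the backend is
# not ldapsam at all.
ldap_transport_ok() {
    conf="$1"
    backend=$(smb_param "$conf" "passdb backend")
    ssl=$(echo "$(smb_param "$conf" "ldap ssl")" | tr 'A-Z' 'a-z')
    case "$backend" in
        ldapsam:ldapi://*|ldapsam:ldap://127.0.0.1*|ldapsam:ldap://localhost*|ldapsam:ldaps://*)
            return 0 ;;                       # local socket, loopback, or LDAPS
        ldapsam:ldap://*)
            [ "$ssl" = "start tls" ] ;;       # remote: only with STARTTLS
        *)
            return 1 ;;
    esac
}

case "${1:-}" in
    check)
        conf="${2:-/etc/samba/smb.conf}"
        testparm -s "$conf" >/dev/null || exit 1      # syntax check first
        missing=$(missing_ldap_params "$conf")
        if [ -n "$missing" ]; then
            echo "missing in [global]:"; echo "$missing"; exit 1
        fi
        if ! ldap_transport_ok "$conf"; then
            echo "remote LDAP without TLS: set 'ldap ssl = start tls' or use ldaps://" >&2
            exit 1
        fi
        echo "smb.conf LDAP settings look sane"
        ;;
esac
```

The example smb.conf from smbldap-tools points at ldap://127.0.0.1/ with ldap ssl = no, which the check accepts because nothing leaves the host; the moment you move slapd to another machine, switch to ldap ssl = start tls (or an ldaps:// URI) or the check, and your security, fails.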

Joining clients to the domain
At this point I was able to join the Samba domain from Windows XP clients, but to do the same on a Windows 7 machine I had to set the following registry values before the join (Samba 3 provides an NT4-style domain, which Windows 7 does not join by default), as described in the Samba wiki:
[HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters]
DWORD DomainCompatibilityMode = 1
DWORD DNSNameResolutionRequired = 0